Abstract. Multi-protocol attacks due to protocol interaction have been a notorious problem for security. Guttman-Thayer proved that they can be prevented by ensuring that encrypted messages are distinguishable across protocols, under a free algebra [7]. In this paper, we prove that a similar suggestion prevents these attacks under commonly used operators such as Exclusive-OR, which induce equational theories that break the free algebra assumption.

1 Introduction 

It is quite common for users to simultaneously run multiple cryptographic protocols on their machines. For instance, a user might connect to a web site using https that uses the SSL protocol and also connect to another remote server using the SSH protocol. It is also quite common for a single protocol to consist of multiple sub-protocols.

A protocol might be secure when running in isolation, but not necessarily when running in parallel with other protocols. In fact, Kelsey et al. [5] showed that, for any given secure protocol, it is always possible to create another protocol to break the original protocol. In an interesting practical study, Cremers analyzed 30 published protocols and reported that 23 of them were vulnerable to multi-protocol attacks [3]. Thus, they are a genuine and serious threat to protocol security.

In an outstanding work, Guttman-Thayer proved that, if encrypted messages are tagged with distinct protocol identifiers, multi-protocol attacks can be prevented [7]. For instance, if the notation [t]_k denotes message t encrypted with key k, then encryptions in the SSL protocol should resemble [SSL, t1]_k1 and those in the SSH protocol should resemble [SSH, t2]_k2. With such tagging in place, it will not be possible for an attacker to replay encryptions across protocols, since users would check and verify the tags upon receipt of messages.

However, Guttman-Thayer considered a basic protocol model where operators for constructing messages (such as encryption algorithms) do not induce equations between syntactically different messages, such as [t]_k = [k]_t. Most "real-world" protocols such as SSL violate this assumption, and use operators that do induce equational theories, such as Exclusive-OR (XOR). It is extremely important to revisit Guttman-Thayer's result under these operators, since such operators have been demonstrated to cause new attacks on protocols that are not possible under a free algebra [1].

This is the problem we consider in this paper: We prove that a tagging scheme that is similar to Guttman-Thayer's prevents multi-protocol attacks under the XOR operator and the ACUN theory induced by it. Our proof strategy is general, and could be used for other equational theories such as ACU-Idempotence and ACU-Inverse. We give some intuitions for this in our conclusion.

Organization. In Section 2 we introduce our formal framework including the term algebra, protocol model, constraint satisfaction, security properties and our main protocol design requirements. In Section 3 we prove a lynchpin lemma that we use in Section 4 to achieve the main result. We conclude with a discussion of future and related works.

2 The Framework 

In this section, we formalize our framework to model and analyze protocols.

2.1 Term Algebra

We will start off with the term algebra. We derive much of our concepts here from Tuengerthal's technical report [5], where he has provided an excellent and clear explanation of equational unification.

We denote the term algebra as T(F, Vars), where Vars is a set of variables, and F is a set of function symbols or operators, called a signature. The terms in T(F, Vars) are called F-Terms. Further,

- Vars ⊆ T(F, Vars);

- (∀f ∈ F)(arity(f) > 0 ∧ t1, ..., tn ∈ T(F, Vars) ⇒ f(t1, ..., tn) ∈ T(F, Vars)).

The set of nullary function symbols is called constants. We assume that every variable and constant has a "type" such as Agent, Nonce etc.
We define F as StdOps ∪ {XOR} ∪ Constants, where,

StdOps = {sequence, penc, senc,pk, sh}. 

penc and senc denote asymmetric and symmetric encryption operators respectively, and pk and sh denote public-key and shared-key operators respectively. We assume that they will always be used with one and two arguments respectively, that are of the type Agent.

We use some syntactic sugar in using some of these operators:

sequence(t1, ..., tn) = [t1, ..., tn],
penc(t, k) = [t]_k,
senc(t, k) = [t]_k,
XOR(t1, ..., tn) = t1 ⊕ ... ⊕ tn.

We will omit the superscripts that distinguish the two modes of encryption if the mode of encryption is contextually irrelevant.

We will write "t in [t1, ..., tn]" if t ∈ {t1, ..., tn}. We will write ti ≺_t tj if ti, tj in t, t = [t1, ..., tn] and i < j.

We define the subterm relation as follows: t ⊑ t' iff t' = f(t1, ..., tn) where f ∈ F and t ⊑ t'' for some t'' ∈ {t1, ..., tn}.

We will use functions Vars(), Constants(), and SubTerms() on a single term or sets of terms, that return the variables, constants and subterms in them respectively. For instance, if T is a set of terms,

SubTerms(T) = {t | (∃t' ∈ T)(t ⊑ t')}.

We will now introduce equational theories and equational unification. 

Definition 1. [Identity and Equational Theory] Given a signature F, and a set of variables Vars, a set of identities E is a subset of T(F, Vars) × T(F, Vars).

We denote an identity as t = t' where t and t' belong to T(F, Vars). An equational theory (or simply a theory) =_E is the least congruence relation R on T(F, Vars) that is closed under substitution and contains E, i.e.,

R is a congruence relation on T(F, Vars), E ⊆ R, and (∀σ)(t = t' ∈ R ⇒ tσ = t'σ ∈ R).

For the signature of this paper, we define two theories, STD and ACUN. The theory STD for StdOps-Terms is based on a set of identities between syntactically equal terms, except for the operator sh:

{[t1, ..., tn] = [t1, ..., tn], h(t) = h(t), sig_k(t) = sig_k(t), pk(t) = pk(t), [t]_k = [t]_k, sh(t1, t2) = sh(t2, t1)}.

The theory ACUN is based on identities solely with the XOR (⊕) operator:

{t1 ⊕ (t2 ⊕ t3) = (t1 ⊕ t2) ⊕ t3, t1 ⊕ t2 = t2 ⊕ t1, t ⊕ 0 = t, t ⊕ t = 0}.

We will now describe equational unification. 



Definition 2. [Unification Problem, Unifier, Unification Algorithm]

If F is a signature and E is a set of identities, then an E-Unification Problem Γ over F is a finite set of equations of the form s =?_E t between F-terms. A substitution σ is called an E-Unifier for Γ if (∀s =?_E t ∈ Γ)(sσ =_E tσ). U_E(Γ) is the set of all E-Unifiers of Γ. An E-Unification Problem is called E-Unifiable iff U_E(Γ) ≠ {}.

A complete set of E-Unifiers of an E-Unification Problem Γ is a set C of idempotent E-Unifiers of Γ such that for each θ ∈ U_E(Γ) there exists σ ∈ C with σ ≥_E θ, where ≥_E is a partial order on U_E(Γ).

An E-Unification Algorithm takes an E-Unification Problem Γ and returns a finite, complete set of E-Unifiers.

Henceforth, we will abbreviate "Unification Algorithm" to UA and "Unification Problem" to UP.

Two theories =_E1 and =_E2 are disjoint if the signatures used in the identities E1 and E2 have no common operators. UAs for two disjoint theories may be combined to output the complete set of unifiers for UPs made using operators from both the theories, using the Baader & Schulz Combination Algorithm (BSCA).

BSCA first takes as input an (E1 ∪ E2)-UP, say Γ, and applies some transformations on it to derive Γ_E.1 and Γ_E.2 that are sets of E1-UPs and E2-UPs respectively. It then combines the unifiers for Γ_E.1 and Γ_E.2 obtained using E1-UA and E2-UA respectively, to return the unifier(s) for Γ (see Appendix A, Def. 7). Further, if Γ is (E1 ∪ E2)-Unifiable, then there exist Γ_E.1 and Γ_E.2 that are E1-Unifiable and E2-Unifiable respectively.

We give a more formal and detailed explanation of BSCA in Appendix A using an example UP, for the interested reader.

2.2 Protocol Model 

Our protocol model is based on the strand space framework [7].

Definition 3. [Node, Strand, Protocol] A node is a tuple (±, t) denoted ±t where t ∈ T(F, Vars). A strand is a sequence of nodes. A protocol is a set of strands.

For instance, consider the NSL⊕ protocol [8]:

Msg 1. A → B : [NA, A]_pk(B)
Msg 2. B → A : [NA ⊕ B, NB]_pk(A)
Msg 3. A → B : [NB]_pk(B)

Then, NSL⊕ = {role_A, role_B}, where,

role_A = [+[A, NA]_pk(B), −[NA ⊕ B, NB]_pk(A), +[NB]_pk(B)], and
role_B = [−[A, NA]_pk(B), +[NA ⊕ B, NB]_pk(A), −[NB]_pk(B)].

A semi-bundle S for a protocol P is a set of strands formed by applying substitutions to some of the variables in the strands of P: If P is a protocol, then, semi-bundle(S, P) ⇔ (∀s ∈ S)((∃r ∈ P; σ)(s = rσ)).

For instance, S = {s_a1, s_a2, s_b1, s_b2} below is a semi-bundle for the NSL⊕ protocol with two strands per role of the protocol:

s_a1 = [+[a1, na1]_pk(B1), −[na1 ⊕ B1, NB1]_pk(A1), +[NB1]_pk(B1)],

s_a2 = [+[a2, na2]_pk(B2), −[na2 ⊕ B2, NB2]_pk(A2), +[NB2]_pk(B2)],

s_b1 = [−[A3, NA3]_pk(b1), +[NA3 ⊕ b1, nb1]_pk(A3), −[nb1]_pk(b1)],

s_b2 = [−[A4, NA4]_pk(b2), +[NA4 ⊕ b2, nb2]_pk(A4), −[nb2]_pk(b2)].

(Note: lower-case symbols are constants and upper-case symbols are variables).

We will assume that every protocol has a set of variables that are considered "fresh variables" (e.g. Nonces and Session-keys). If P is a protocol, then FreshVars(P) denotes the set of fresh variables in P. We will call the constants substituted to fresh variables of a protocol in its semi-bundles "fresh constants" and denote them as FreshCons(S), i.e., if semi-bundle(S, P), then

We assume that some fresh variables are "secret variables" and denote them as SecVars(P). We define "SecCons()" to return the "secret constants" that were used to instantiate secret variables of a protocol: If semi-bundle(S, P), then,

SecCons(S) = {x | (∃r ∈ P; s ∈ S; σ)((rσ = s) ∧ (X ∈ SecVars(P)) ∧ (x = Xσ) ∧ (x ∈ Constants))}.

For instance, NA and NB are secret variables in the NSL⊕ protocol and na1, na2, nb1, nb2 are the secret constants for its semi-bundle above.

We will lift the functions Vars(), Constants(), and SubTerms() to strands, protocols and semi-bundles. For instance, if P is a set of strands and r ∈ P, then,

SubTerms(r) = {t | (∃t')(((_, t') in r) ∧ (t ∈ SubTerms(t')))},
SubTerms(P) = {t | (∃r ∈ P)(t ∈ SubTerms(r))}.

We also define the long-term shared-keys of P as LTKeys(P), where,

LTKeys(P) = {x | (∃A, B)((x = sh(A, B)) ∧ (x ∈ SubTerms(P)))}.

To achieve our main result, we need to make some assumptions. Most of our assumptions are reasonable, not too restrictive for protocol design and in fact, good design practices.

As noted in [9], we first need an assumption that long-term shared-keys are never sent as part of the messages in the protocol, but only used as encryption keys. Obviously, this is a safe and prudent design principle.

Without this assumption, there could be multi-protocol attacks even when Guttman-Thayer's suggestion of tagging encryptions is followed. For instance, consider the following protocols:

P1:  1. a → s : sh(a, s)

P2:  1. a → b : [1, na]_sh(a,s)

Now the message in the second protocol could be decrypted and na could be derived when it is run with the first protocol.

To formalize this assumption, we define a relation interm, denoted ⋐, on terms such that,

- t ⋐ t' if t = t',

- t ⋐ [t1, ..., tn] if (t ⋐ t1 ∨ ... ∨ t ⋐ tn),

- t ⋐ [t']_k if (t ⋐ t'),

- t ⋐ t1 ⊕ ... ⊕ tn if (t ⋐ t1) ∨ ... ∨ (t ⋐ tn).

Notice that an interm is also a subterm, but a subterm is not necessarily an interm. For instance, na is an interm and a subterm of na ⊕ [a]_nb, while nb is a subterm, but not an interm.

Interms are useful in referring to the plain text of encryptions or everything that can be "read" by the recipient of a term. Contrast these with the keys of encrypted terms, which can only be confirmed by decrypting with the corresponding inverses, but cannot be read (unless included in the plain-text).

Assumption 1 If P is a protocol, then there is no term of P with a long-term key as an interm:

(∀t ∈ SubTerms(P))((∄t' ⋐ t)(t' ∈ LTKeys(P))).

It turns out that this assumption is not sufficient. As noted by an anonymous reviewer of this workshop, we also need another assumption that if a variable is used as a subterm of a key, then there should be no message in which that variable is sent in plain (since a long-term shared-key could be substituted to the variable as a way around the previous assumption).

Hence, we state our next assumption as follows:

Assumption 2 If [t]_k is a subterm of a protocol, then no interm of k is an interm of the protocol:

(∀[t]_k ∈ SubTerms(P))((∄X ⋐ k; t' ∈ SubTerms(P))(X ⋐ t')).

Next, we will make some assumptions on the initial intruder knowledge. We will denote the set of terms known to the intruder before protocols are run as IIK. We will first formalize the assumption that he knows the public-keys of all the agents:

Assumption 3 (∀x ∈ Constants)(pk(x) ∈ IIK).

In addition, we will also assume that the attacker knows the values of all the constants that were substituted by honest agents for all the non-fresh variables (e.g. agent identities a, b etc.), when they form semi-bundles:

Assumption 4 Let P be a protocol. Then,

(∀x/X ∈ σ; r ∈ P)((semi-bundle(S, P) ∧ (rσ ∈ S) ∧ (x ∈ Constants) ∧ (X ∉ FreshVars(P))) ⇒ (x ∈ IIK)).

Finally, we make another conventional assumption about protocols, namely that honest agents do not reuse fresh values such as nonces and session-keys:

Assumption 5 Let S1, S2 be two different semi-bundles. Then,

FreshCons(S1) ∩ FreshCons(S2) = {}.

2.3 Constraints and Satisfiability 

In this section, we will formalize the concepts given in [10, 11] to generate symbolic constraints from node interleavings of semi-bundles and the application of reduction rules to determine satisfiability of those constraints.

Definition 4. [Constraints, Constraint sequences] A constraint is a tuple (m, T) denoted m : T, where m is a term called the target and T is a set of terms called the term set. If S is a semi-bundle, then cs is a constraint sequence of S, or conseq(cs, S), if every target term in cs is from a − node of S and every term in every term set in cs is from a + node of S.

A constraint sequence cs is simple, or simple(cs), if all the targets are variables. Constraint c is an "active constraint" of a constraint sequence cs (denoted act(c, cs)) if all its prior constraints in cs, but not itself, are simple constraints. We denote the sequences before and after the active constraint of a sequence cs as cs_< and cs_> respectively.

In Table 1 we define a set of symbolic reduction rules, Rules, that can be applied on the active constraint of a constraint sequence.



Rule     Before (active constraint)        After
concat   [t1, ..., tn] : T                 t1 : T, ..., tn : T
split    t : T ∪ [t1, ..., tn]             t : T ∪ t1 ∪ ... ∪ tn
penc     [m]_k : T                         k : T, m : T
pdec     m : [t]_pk(e) ∪ T                 m : t ∪ T
senc     [m]_k : T                         k : T, m : T
sdec     m : [t]_k ∪ T                     k : T, m : T ∪ {t, k}
xor_r    m : T ∪ t1 ⊕ ... ⊕ tn             t2 ⊕ ... ⊕ tn : T, m : T ∪ t1
xor_l    t1 ⊕ ... ⊕ tn : T                 t2 ⊕ ... ⊕ tn : T, t1 : T

Table 1. Set of reduction rules, Rules
The first column is the name of the rule, and the second and third columns are the active constraints before and after the application of the rule.

We define a predicate appl() on each of these rules, that is true if the rule under consideration is applicable on the active constraint of the given constraint sequence. The predicate takes the name of the rule, the input sequence cs, the output sequence cs', the input substitution σ, the output substitution σ', and the theory Th considered as arguments. For instance, we define xor_r as follows:

appl(xor_r, cs, cs', σ, σ', Th) ⇔ (∃m, T, t1, ..., tn)(act(m : T ∪ t1 ⊕ ... ⊕ tn, cs) ∧ (cs' = cs_< ⌢ [t2 ⊕ ... ⊕ tn : T, m : T ∪ t1] ⌢ cs_>)).

We left out two important rules in the table, un and ksub, that change the attacker substitution through unification. We describe them next:

appl(un, cs, cs', σ, σ', Th) ⇔ (∃m, T, t)(act(m : T ∪ t, cs) ∧ (cs' = cs_<τ ⌢ cs_>τ) ∧ (σ' = σ ∪ τ) ∧ (τ ∈ U_E({m =?_E t})))

appl(ksub, cs, cs', σ, σ', Th) ⇔ (∃m, T, t)(act(m : T ∪ [t]_k, cs) ∧ (cs' = cs_<τ ⌢ [mτ : Tτ ∪ [t]_kτ] ⌢ cs_>τ) ∧ (σ' = σ ∪ τ) ∧ (τ ∈ U_E({k =?_E pk(e)})))

(Note: e is a constant of type Agent representing the name of the attacker).

We will say that a constraint sequence cs' is a child constraint sequence of another sequence cs, if it can be obtained after applying some reduction rules on cs:

childseq(cs, cs', Th) ⇔ (∃r1, ..., rn ∈ Rules)(appl(r1, cs, cs1, σ, σ1, Th) ∧ appl(r2, cs1, cs2, σ1, σ2, Th) ∧ ... ∧ appl(rn, cs_{n−1}, cs', σ_{n−1}, σn, Th)).



We now define "normal" constraint sequences, where the active constraint does not have sequences on the target or in the term set and has no stand-alone variables in the term set (also recall that by definition, the target term of an active constraint is not a variable):

normal(cs) ⇔ (act(m : T, cs) ∧ (∄t1, ..., tn)([t1, ..., tn] = m) ∧ (∀t ∈ T)((∄t1, ..., tn)([t1, ..., tn] = t)) ∧ (∀t ∈ T)(t ∉ Vars)).



Next, we will define a recursive function, normalize(), that maps constraints to constraint sequences such that:

normalize(m : T) = [m : T], if normal(m : T);
= normalize(t1 : T) ⌢ ... ⌢ normalize(tn : T), if m = [t1, ..., tn];
= normalize(m : T' ∪ t1 ∪ ... ∪ tn), if T = T' ∪ [t1, ..., tn].

⌢ is the sequence concatenation operator.

We will now overload this function to apply it on constraint sequences as well:

normalize(cs) = cs, if normal(cs);
= cs_< ⌢ normalize(c) ⌢ cs_>, if act(c, cs).

We define satisfiability of constraints as a predicate "satisfiable" which is true if there is a sequence of applicable rules which reduce a given normal constraint sequence cs to a simple constraint sequence csn, in a theory Th, resulting in a substitution σn:

satisfiable(cs, σn, Th) ⇔ (∃r1, ..., rn ∈ Rules)(appl(r1, cs, cs1, {}, σ1, Th) ∧ appl(r2, cs1', cs2, σ1, σ2, Th) ∧ ... ∧ appl(rn, cs'_{n−1}, csn, σ_{n−1}, σn, Th) ∧ simple(csn) ∧ (∀i ∈ {1, ..., n})(cs_i' = normalize(cs_i))) (1)

Notice the last clause, which requires that every constraint sequence be normalized before any rule is applied, when checking for satisfiability.

This definition of satisfiability may seem unusual, especially for purists, since satisfiability is usually defined using attacker capabilities as operators on sets of ground terms to generate each target on constraints.

However, it was proven that the decision procedure on which our definition is based is sound and complete with respect to attacker capabilities on ground terms in the presence of the algebraic properties of XOR. Hence, we defined it directly in terms of the decision procedure, since that is what we will be using to prove our main theorem. We refer the interested reader to [10] and [11] for more details on the underlying attacker operators, whose usage is equated to the decision procedure that we have used.

Note also that our definition only captures completeness of the decision procedure w.r.t. satisfiability, not soundness, since that is the only aspect we need for our proofs in this paper.



2.4 Security properties and attacks 

Every security protocol is designed to achieve certain security goals such as key establishment and authentication. Correspondingly, every execution of a protocol is expected to satisfy some related security properties. For instance, a key establishment protocol should not leak the key being established, which would be a violation of secrecy. It should also not lead an honest agent to exchange a key with an attacker, which would be a violation of both secrecy and authentication.

Our main result is general and is valid for any trace property such as secrecy, that can be tested by embedding the desired property into semi-bundles and then checking if constraint sequences from the semi-bundles are satisfiable:
Definition 5. [Secrecy]

A protocol is secure for secrecy in the theory Th, if no constraint sequence from any semi-bundle of the protocol is satisfiable, after a strand with a node that receives a secret constant is added to the semi-bundle, i.e., if P is a protocol, then,

(∄sec, cs, S)(semi-bundle(S, P) ∧ conseq(cs, S) ∧ (cs = [_ : _, ..., _ : T]) ∧ (sec ∈ SecCons(S)) ∧ satisfiable(cs ⌢ [sec : T], σ, Th)) ⇔ secureForSecrecy(P, Th).



2.5 Main Requirement - μ-NUT

We now formulate our main requirement on protocol messages to prevent multi-protocol attacks, namely μ-NUT, in the SUA theory (an abbreviation for STD ∪ ACUN). The requirement is an extension of Guttman-Thayer's suggestion to make encrypted terms distinguishable across protocols, to include XOR as well. We will first define a set XorTerms as:

{t | (∃t1, ..., tn ∈ T(F, Vars))(t1 ⊕ ... ⊕ tn = t)}.

We will also define a function EncSubt() that returns all the encrypted subterms of a set of terms, i.e., if T is a set of terms, then EncSubt(T) is the set of all terms such that if t belongs to the set, then t must be a subterm of T and is an encryption:

EncSubt(T) = {t | (∃t', k')((t = [t']_k') ∧ (t ∈ SubTerms(T)))}.

Further, if P is a protocol, then

EncSubt(P) = {t | t ∈ EncSubt(SubTerms(P))}.

We are now ready to state the main requirement formally: 

Definition 6. [μ-NUT]

Two protocols P1 and P2 are μ-NUT-Satisfying, i.e., μ-NUT-Satisfying(P1, P2), iff:

1. Encrypted subterms in both protocols are not STD-Unifiable after applying any substitutions to them:

(∀t1 ∈ EncSubt(P1), t2 ∈ EncSubt(P2))((∄σ1, σ2)(t1σ1 =_STD t2σ2)).

2. Subterms of XOR-terms of one protocol (that are not XOR-terms themselves) are not STD-Unifiable with any subterms of XOR-terms of the other protocol (that are not XOR-terms as well):

(∀t1 ⊕ ... ⊕ tn ∈ SubTerms(P1), t1' ⊕ ... ⊕ tm' ∈ SubTerms(P2))(((t ∈ {t1, ..., tn}) ∧ (t' ∈ {t1', ..., tm'}) ∧ (t, t' ∉ XorTerms)) ⇒ (∄σ1, σ2)(tσ1 =_STD t'σ2)).
The first requirement is the same as Guttman-Thayer's suggestion. The second requirement extends it to the case of XOR-terms, which is our stated extension in this paper.

The NSL⊕ protocol can be transformed to suit this requirement by tagging its encrypted messages as follows:

Msg 1. A → B : [nsl⊕, NA, A]_pk(B)

Msg 2. B → A : [nsl⊕, [nsl⊕, NA] ⊕ [nsl⊕, B], NB]_pk(A)

Msg 3. A → B : [nsl⊕, NB]_pk(B)

The constant "nsl⊕" inside the encryptions can be encoded using some suitable bit-encoding when the protocol is implemented. Obviously, other protocols must have their encrypted subterms start with the names of those protocols.
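Two of the design checks above, Assumption 1 (no long-term shared key readable as an interm, as in the P1/P2 pair of Section 2.2) and μ-NUT condition 1 (encrypted subterms of the two protocols not unifiable), worked out as an added Python example; this is not code from the paper. It assumes a tuple encoding of terms and plain syntactic unification that ignores the sh(t1, t2) = sh(t2, t1) identity of STD, and the second protocol OTHER is constructed for the example.

```python
# Added example (not the paper's code). Terms are tuples:
# ('var', n), ('const', n), ('seq', t1, ..., tn), ('penc', t, k), ('senc', t, k),
# ('pk', a), ('sh', a, b), ('xor', t1, ..., tn).
# Assumption: unify() is plain syntactic (free-algebra) unification, so the STD
# identity sh(t1, t2) = sh(t2, t1) is ignored (no sh() keys are compared below).
def var(n): return ('var', n)
def const(n): return ('const', n)
def seq(*ts): return ('seq',) + ts
def penc(t, k): return ('penc', t, k)
def senc(t, k): return ('senc', t, k)
def pk(a): return ('pk', a)
def sh(a, b): return ('sh', a, b)
def xor(*ts): return ('xor',) + ts
LEAF = ('var', 'const')

def subterms(t):
    """SubTerms(t): t plus every term below it, encryption keys included."""
    out = {t}
    if t[0] not in LEAF:
        for a in t[1:]:
            out |= subterms(a)
    return out

def interms(t):
    """Interms of t: what a recipient can read; keys of encryptions are excluded."""
    out = {t}
    if t[0] in ('seq', 'xor'):
        for a in t[1:]:
            out |= interms(a)
    elif t[0] in ('penc', 'senc'):
        out |= interms(t[1])
    return out

def terms_of(protocol):
    """A protocol is a list of strands; a strand is a list of (sign, term) nodes."""
    return {t for strand in protocol for _, t in strand}

def violates_assumption1(protocol):
    """True if some long-term shared key sh(A, B) is an interm of some message."""
    ts = terms_of(protocol)
    ltkeys = {s for t in ts for s in subterms(t) if s[0] == 'sh'}
    return any(k in interms(t) for t in ts for k in ltkeys)

def enc_subt(protocol):
    """EncSubt(P): every encrypted subterm of the protocol's messages."""
    return {s for t in terms_of(protocol) for s in subterms(t) if s[0] in ('penc', 'senc')}

def walk(t, subst):
    while t[0] == 'var' and t in subst:
        t = subst[t]
    return t
def occurs(v, t, subst):
    t = walk(t, subst)
    return t == v or (t[0] not in LEAF and any(occurs(v, a, subst) for a in t[1:]))

def unify(s, t, subst=None):
    """Most general syntactic unifier of s and t as a dict var -> term, or None."""
    subst = dict(subst or {})
    s, t = walk(s, subst), walk(t, subst)
    if s == t:
        return subst
    if s[0] == 'var':
        return None if occurs(s, t, subst) else {**subst, s: t}
    if t[0] == 'var':
        return unify(t, s, subst)
    if 'const' in (s[0], t[0]) or s[0] != t[0] or len(s) != len(t):
        return None                      # clash of operators or of constants
    for a, b in zip(s[1:], t[1:]):
        subst = unify(a, b, subst)
        if subst is None:
            return None
    return subst

def rename(t, tag):
    """Rename variables apart so the two protocols share no variable."""
    if t[0] == 'var':
        return ('var', t[1] + tag)
    return t if t[0] == 'const' else (t[0],) + tuple(rename(a, tag) for a in t[1:])

def mu_nut_cond1(p1, p2):
    """mu-NUT condition 1: no encrypted subterm of p1 unifies with one of p2."""
    e1 = {rename(t, '#1') for t in enc_subt(p1)}
    e2 = {rename(t, '#2') for t in enc_subt(p2)}
    return all(unify(a, b) is None for a in e1 for b in e2)

# Constructed sample protocols: NSL_XOR follows the paper's NSL_xor messages and
# NSL_XOR_TAGGED its tagged form; OTHER is a made-up protocol of the same shape.
A, B, NA, NB, X, Y, Z = (var(n) for n in 'A B NA NB X Y Z'.split())
def roles(m1, m2, m3):
    return [[('+', m1), ('-', m2), ('+', m3)], [('-', m1), ('+', m2), ('-', m3)]]
NSL_XOR = roles(penc(seq(NA, A), pk(B)), penc(seq(xor(NA, B), NB), pk(A)), penc(NB, pk(B)))
T = const('nsl_xor')                               # the tag constant nsl(+)
NSL_XOR_TAGGED = roles(penc(seq(T, NA, A), pk(B)),
                       penc(seq(T, xor(seq(T, NA), seq(T, B)), NB), pk(A)),
                       penc(seq(T, NB), pk(B)))
OTHER = [[('+', penc(seq(X, Y), pk(Z)))]]
OTHER_TAGGED = [[('+', penc(seq(const('other'), X, Y), pk(Z)))]]
# The paper's P1 / P2 pair for Assumption 1: P1 sends sh(a, s) in the clear.
a, s, na = const('a'), const('s'), const('na')
P1 = [[('+', sh(a, s))]]
P2 = [[('+', senc(seq(const('1'), na), sh(a, s)))]]
```

mu_nut_cond1(NSL_XOR, OTHER) returns False because the untagged [NA, A]_pk(B) unifies with [X, Y]_pk(Z), while mu_nut_cond1(NSL_XOR_TAGGED, OTHER_TAGGED) returns True since the leading tag constants clash; violates_assumption1 returns True for P1 and False for P2.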



3 A Lynchpin Lemma

In this section, we provide a useful lemma that is the lynchpin in achieving our main result. We prove in the lemma that, if we follow BSCA for (S ∪ A)-UPs that do not have XOR terms with variables, their ACUN subproblems will have only constants as subterms.

Lemma 1. [ACUN UPs have only constants]

Let Γ = {m =?_SUA t} be an (S ∪ A)-UP that is (S ∪ A)-Unifiable, and where no subterm of m or t is an XOR term with free variables^1. Then every subterm of the ACUN subproblems derived by BSCA is a constant:

(∀m' =?_ACUN t' ∈ Γ_E.2)((y ⊑ m' ∨ y ⊑ t') ⇒ (y ∈ Constants)).

Proof. Please see Appendix B, Lemma 2.



4 Main result - μ-NUT prevents multi-protocol attacks

We will now prove that μ-NUT-Satisfying protocols are not susceptible to multi-protocol attacks.

The idea is to show that if a protocol is secure in isolation, then it is also secure in combination with other protocols with which it is μ-NUT-Satisfying.

To show this, we will achieve a contradiction by attempting to prove the contrapositive, i.e., if there is a breach of secrecy for a protocol in combination with another protocol with which it is μ-NUT-Satisfying, then it must also have a breach of secrecy in isolation.

We assume that the reader is familiar with BSCA (detailed description in Appendix A).

^1 N is the set of natural numbers.
Theorem 1. If a protocol is secure for secrecy, then it remains so in combination with any other protocol with which it is μ-NUT-Satisfying.

Proof. Suppose P1 is a protocol that is secure for secrecy in isolation in the S ∪ A theory, i.e., secureForSecrecy(P1, S ∪ A). Consider another protocol P2 such that μ-NUT-Satisfying(P1, P2). Let S1 and S2 be two semi-bundles from P1 and P2 respectively:

semi-bundle(S1, P1) ∧ semi-bundle(S2, P2).

Consider a constraint sequence combcs from Scomb = S1 ∪ S2, i.e.,

conseq(combcs, Scomb).

Consider another constraint sequence isocs, where,

(a) Targets in combcs are targets in isocs if the targets belong to S1:

(∀m : _ in combcs)((m ∈ Terms(S1)) ⇒ (m : _ in isocs)). (2)

(b) Term sets in combcs are term sets in isocs but without terms from S2:

(∀m1 : T1, m2 : T2 in combcs)((m1 : T1 ≺_combcs m2 : T2) ⇒ (∃T1'', T2'')((m1 : T1' ≺_isocs m2 : T2') ∧ (T1' = T1 \ T1'') ∧ (T2' = T2 \ T2'') ∧ (∀t ∈ T1'' ∪ T2'')(t ∈ SubTerms(S2)))). (3)

Then, from Def. 4 (Constraints) we have: conseq(isocs, S1).

Suppose combcs and isocs are normalized. To achieve a contradiction, let there be a violation of secrecy in Scomb s.t. combcs is satisfiable after an artificial constraint with a secret constant of S1, say sec, is added to it:

(combcs = [_ : _, ..., _ : T]) ∧ satisfiable(combcs ⌢ [sec : T], _, S ∪ A). (4)

Suppose [r1, ..., rn] = R, such that r1, ..., rn ∈ Rules. Then, from the definition of satisfiability (1), using R, say we have:

(combcs = [_ : _, ..., _ : T]) ∧ appl(r1, combcs ⌢ [sec : T], combcs1, {}, σ1, S ∪ A) ∧ appl(r2, combcs1', combcs2, σ1, σ2, S ∪ A) ∧ ... ∧ appl(rn, combcs'_{n−1}, combcsn, σ_{n−1}, σn, S ∪ A) ∧ simple(combcsn) ∧ (∀i ∈ {1, ..., n})(combcs_i' = normalize(combcs_i)). (5)

From their descriptions, every rule in Rules adds subterms of existing terms (if any) in the target or term set of the active constraint:

(appl(_, cs, cs', _, _, _) ∧ act(m : T, cs) ∧ act(m' : T', cs') ∧ (x ∈ T' ∪ {m'})) ⇒ (x ∈ SubTerms(T ∪ {m})). (6)

Since every combcs_i' (i = 1 to n) in (5) is normalized, and since P1 and P2 are μ-NUT-Satisfying, we have:

(act(m : T, combcs_i') ∧ (t1 ⊕ ... ⊕ tp ∈ T ∪ {m})) ⇒ (∀j ∈ {1, ..., p})(tj ∉ Vars). (7)

Suppose chcombcs is a normal child constraint sequence of combcs and chisocs is a normal child constraint sequence of isocs.

Now all the rules in Rules are applicable on the target of the active constraint of chisocs, if they were on chcombcs, provided they are applied on a term of S1:

(∀r ∈ Rules)((appl(r, chcombcs, chcombcs', _, _, S ∪ A) ∧ act(m : _, chcombcs) ∧ act(m' : _, chcombcs') ∧ act(m : _, chisocs)) ⇒ (appl(r, chisocs, chisocs', _, _, S ∪ A) ∧ act(m' : _, chisocs'))). (8)

Similarly, all rules that are applicable on a term in the term set of the active constraint in chcombcs, say c, are also applicable on the same term of the active constraint in chisocs, say c' (provided the term exists in the term set of c', which it does from (3) and (6)):

(appl(r, chcombcs, chcombcs', _, _, S ∪ A) ∧ act(_ : _ ∪ t, chcombcs) ∧ act(_ : T', chcombcs') ∧ act(_ : _ ∪ t, chisocs)) ⇒ (appl(r, chisocs, chisocs', _, _, S ∪ A) ∧ act(_ : _ ∪ T', chisocs')). (9)

un and ksub are the only rules that affect the attacker substitution. We will show that these are equally applicable on chcombcs and chisocs as well. Suppose:

– Γ = {m =?_SUA t} is an (S ∪ A)-UP and suppose m = m'σcomb, t = t'σcomb, where m' ∈ SubTerms(S1);

– Variables in σcomb are substituted with terms from the same semi-bundle:

(∀x/X ∈ σcomb)((∃i ∈ {1, 2})(x, X ∈ SubTerms(S_i))). (10)

– Γ is (S ∪ A)-Unifiable.

Let τ ∈ U_SUA(Γ) and let A_Th denote a Th-UA. Using Def. 7 (Combined Unifier), say we have that τ is obtained by combining τ_STD and τ_ACUN, where τ_STD ∈ A_STD(Γ_E.1) and τ_ACUN ∈ A_ACUN(Γ_E.2).

Now from BSCA, if m1 =?_STD t1 ∈ Γ_E.1 and ρ ∈ U_STD({m1 =?_STD t1}), then we have the following cases:
Variables. If m1 and/or t1 are variables, from (10) and BSCA, they are necessarily new, i.e., m1, t1 ∈ Vars \ Vars(Γ) (unless m and t are variables, which they are not, since chcombcs is normal). Hence, there are no new substitutions in ρ to Vars(Γ) in this case.

Constants. If m1 ∈ Constants(S1), again from BSCA, t1 cannot belong to Vars, and it must be a constant. If m1 is a fresh constant of S1, then t1 must also belong to S1 from the freshness assumption (Assumption 5) and (10), and if m1 is not fresh, t1 could belong to either SubTerms(S1) or IIK from Assumption 4. Further, ρ = {}.

Public Keys. If m1 = pk(_), then t1 must be some pk(_) as well. From BSCA, m1 cannot be such that [_]_m1 ⊑ m. Further, there cannot be an XOR term, say ... ⊕ m1 ⊕ ..., that is a subterm of m, from μ-NUT Condition 2. The only other possibility is that m = m1. In that case, t must also equal t1, whence t can belong to IIK from Assumption 3 (the intruder possesses all public-keys). Hence, (∀x/X ∈ ρ)((∃i ∈ {1, 2})(x, X ∈ SubTerms(S_i))).

Encrypted Subterms. Suppose m1 = m11σcomb, t1 = t11σcomb ∈ EncSubt(S1 ∪ S2). Then, from μ-NUT Condition 1 and (6), we have m11, t11 ∈ EncSubt(S_i), where i ∈ {1, 2}. Hence, (∀x/X ∈ ρ)((∃i ∈ {1, 2})(x, X ∈ SubTerms(S_i))).

Sequences. If m1 is a sequence, either m must be a sequence, or there must be some ... ⊕ m1 ⊕ ... belonging to SubTerms({m, t}), from BSCA. But m and t cannot be sequences, since chcombcs is normal. Hence, by μ-NUT Condition 2 and (6), m1, t1 ∈ SubTerms(S_i)σcomb, i ∈ {1, 2} and (∀x/X ∈ ρ)((∃i ∈ {1, 2})(x, X ∈ SubTerms(S_i))).

In summary, we make the following observations about problems in Γ_E.1.

If m1 is an instantiation of a subterm in S1, then so is t1, or t1 belongs to IIK:

(∀m1 =?_STD t1 ∈ Γ_E.1)(m1 ∈ SubTerms(S1)σcomb ⇒ t1 ∈ SubTerms(S1)σcomb ∪ IIK). (11)

Every substitution in τ_STD has both its term and variable from the same semi-bundle:

(∀x/X ∈ τ_STD)((∃i ∈ {1, 2})(x, X ∈ SubTerms(S_i))). (12)

Now consider the UPs in Γ_E.2. Applying (7) into Lemma 1 we have that τ_ACUN = {}. Combining this with (12), we have

(∀x/X ∈ τ)((∃i ∈ {1, 2})(x, X ∈ SubTerms(S_i)σcomb)). (13)

Suppose m = m1 ⊕ ... ⊕ mp and t = t1 ⊕ ... ⊕ tq; p, q ≥ 1, x = mτ, y = tτ and m'' =_SUA x where m'' = m1' ⊕ ... ⊕ m'_{p'}, s.t. (∀i, j ∈ {1, ..., p'})(i ≠ j ⇒ mi'τ ≠_SUA mj'τ), and t'' =_SUA y where t'' = t1' ⊕ ... ⊕ t'_{q'}, s.t. (∀i, j ∈ {1, ..., q'})(i ≠ j ⇒ ti'τ ≠_SUA tj'τ). Informally, this means that no two terms in {m1', ..., m'_{p'}} or {t1', ..., t'_{q'}} can be cancelled.

Suppose Γψ = Γ_E.1, where ψ is a set of substitutions. Then, mτ =_SUA tτ implies (∀i ∈ {1, ..., p'})((∃j ∈ {1, ..., q'})(mi'ψ =_STD tj'ψ)) with p' = q'.

From (11), this means that m ∈ SubTerms(S1)σcomb implies that t also belongs to SubTerms(S1)σcomb or IIK.

Now since Vars(m') ∪ Vars(t') ⊆ Vars(S1), we have m'σcomb = m'σiso and t'σcomb = t'σiso, where σcomb = σiso ∪ {x/X | x, X ∈ SubTerms(S2)}. Combining this with (13), we have that m'σcombτ =_SUA t'σcombτ ⇒ m'σisoτ =_SUA t'σisoτ.



Combining these with (2) and (3), we can now write:

(∀chcombcs, chisocs)((childseq(chcombcs, combcs, S ∪ A) ∧ childseq(chisocs, isocs, S ∪ A) ∧ appl(un, chcombcs, chcombcs', σcomb, σcomb', S ∪ A)) ⇒ appl(un, chisocs, chisocs', σiso, σiso', S ∪ A)) (14)

where the active constraints in chcombcs and chisocs only differ in the term sets:

act(m : _ ∪ t, combcs) ∧ act(m : _ ∪ t, isocs) ∧ (combcs' = combcs_<τ ⌢ combcs_>τ) ∧ (isocs' = isocs_<τ ⌢ isocs_>τ) ∧ (σcomb' = σcomb ∪ τ) ∧ (σiso' = σiso ∪ τ) ∧ (τ ∈ U_SUA({m =?_SUA t})).

Finally, we can combine ([5]), ([s]), ([9]), and (14) to infer

$(isocs = (\_ : \_, \ldots, \_ : T))\ \wedge\ appl(r_1, isocs \frown [sec : T], isocs_1, \{\}, \sigma_1, S \cup A)\ \wedge$
$appl(r_2, isocs'_1, isocs_2, \sigma_1, \sigma_2, S \cup A)\ \wedge \ldots \wedge$
$appl(r_p, isocs'_{p-1}, isocs_p, \sigma_{p-1}, \sigma_p, S \cup A)\ \wedge$
$simple(isocs_p)\ \wedge\ (\forall i \in \{1, \ldots, p\})(isocs'_i = normalize(isocs_i))$ (15)

where $[r_1, \ldots, r_p]$ is a subsequence of $R$ (defined in [5]).

This in turn implies $satisfiable(isocs \frown [sec : T], \sigma_p, S \cup A)$ from the definition of satisfiability.

We can then combine this with the fact that $S_1$ is a semi-bundle of $P_1$, and $isocs$ is a constraint sequence of $S_1$, and conclude:

$semi\text{-}bundle(S_1, P_1) \wedge conseq(isocs, S_1) \wedge (isocs = [\_ : \_, \ldots, \_ : T]) \wedge satisfiable(isocs \frown [sec : T], \sigma_p, S \cup A)$.

But from Definition [s] (Secrecy), this implies $\neg secureForSecrecy(P_1, S \cup A)$, a contradiction to the hypothesis. Hence, $P_1$ is always secure for secrecy in the $(S \cup A)$ theory, in combination with $P_2$ with which it is $\mu$-NUT-Satisfying.

$s'$ is a subsequence of a sequence $s$, if $s = \_ \frown s' \frown \_$.
5 Conclusion

In this paper, we provided a formal proof that tagging to ensure non-unifiability of distinct encryptions prevents multi-protocol attacks under the ACUN properties induced by the Exclusive-OR operator. We will now discuss some prospects for future work and related work.

5.1 Future work 

Other equational theories can be handled in the same way as the ACUN theory: when we use BSCA, the UPs for them ($\Gamma_{5.2}$) will only have constants as subterms. Hence, unifiers only from the algorithms for standard theory problems need to be considered for $\mu$-NUT-Satisfying protocols. Of course, this reasoning has to be given within a symbolic constraint solving model that takes the additional equational theories into account (the model we used, adapted from , was tailored to accommodate only ACUN).

We achieved our main result specifically for secrecy. The reason for this was that, in order to prove that attacks exist in isolation if they did in combination, we had to have a precise definition as to what an "attack" was to begin with. However, other properties such as authentication and observational equivalence can be considered on a case-by-case basis, with a similar proof pattern.

At the core of our proofs is the use of BSCA for combined theory unification. However, BSCA is applicable only for disjoint theories that do not share any operators. For instance, the algorithm cannot consider equations of the form $[a, b] \oplus [c, d] = [a \oplus c, b \oplus d]$.

We plan to expand our proofs to include such equations in future, possibly with the help of new unification algorithms [12].

5.2 Related work 

To the best of our knowledge, the consideration of algebraic properties and/or equational theories for protocol independence is uncharted waters.

A study of multi-protocol attacks with the perfect encryption assumption relaxed was first reported by Malladi et al. in [13] through "multi-protocol guessing attacks" on password protocols. Delaune et al. proved that these can be prevented by tagging in [14].

The original work of Guttman et al. in [1] assumed that protocols have no type-flaw attacks when they proved that tagging to ensure disjoint encryption prevents multi-protocol attacks. But a recent work by Guttman seems to relax that assumption [15]. Both [1] and [15] use the strand space model [7]. Our protocol model in this paper is also based on strand spaces, but the penetrator actions are modeled as symbolic reduction rules in the constraint solving algorithm of [11, 10], as opposed to penetrator strands in [7]. Cortier-Delaune also prove that multi-protocol attacks can be prevented with tagging, which is slightly different from [1] and considers composed/non-atomic keys [16]. They too seem to use the constraints model as their protocol framework.
In [17], we prove the decidability of tagged protocols that use XOR with the underlying framework of [11] which extends [10] with XOR. That work is similar to our proofs, since we too used the same framework [11]. Further, we use BSCA [6] as a core aspect of this paper along the lines of [17]. Recently, we used a similar proof pattern to prove that tagging prevents type-flaw attacks under XOR and most likely under other equational theories in [18]. Lemma [I] in the current paper was also the lynchpin in [18].

In [19], Kuesters and Truderung showed that the verification of protocols that use the XOR operator can be reduced to verification in a free term algebra, for a special class of protocols called $\oplus$-linear protocols, so that ProVerif can be used for verification. Chen et al. recently report some extensions to Kuesters-Truderung's work [20].

These results have a similarity with ours, in the sense that we too show that the algebraic properties of XOR have no effect when some of the messages are modified. However, we believe that our result is more general than these, since any protocol can be tagged to satisfy our requirements, but not necessarily $\oplus$-linearity.

Acknowledgments. I am thankful to Yannick Chevalier for explaining his protocol model in [11], Pascal Lafourcade for many useful remarks and the anonymous reviewers for their helpful suggestions.
A Baader & Schulz Combined Theory Unification Algorithm (BSCA)

We will now consider how two UAs for two disjoint theories $Th_1$ and $Th_2$ respectively may be combined to output the unifiers for UPs made using operators from $Th_1 \cup Th_2$, using the Baader & Schulz Combination Algorithm (BSCA) [6].

We first need some definitions. Suppose $F$ is a signature for a set of identities $E$ and let $Th$ denote the theory $=_E$. Then, a term is pure wrt $Th$ iff every subterm of it is an $F$-term, i.e.,

$pure(t, Th) \Leftrightarrow (\forall t' \sqsubseteq t)((\exists f \in F)(t' = f(\_, \ldots, \_)))$.

We define a predicate $ast$ (alien subterm) on terms such that a term $t'$ is an alien subterm of another term $t$ wrt the theory $Th$ if it is a subterm of $t$, but is not pure wrt $Th$:

$(\forall t, t', Th)(ast(t', t, Th) \Leftrightarrow (t' \sqsubseteq t) \wedge \neg pure(t', Th))$.

BSCA takes as input a $(Th_1 \cup Th_2)$-UP, say $\Gamma$, and applies some transformations on it to derive $\Gamma_{5.1}$ and $\Gamma_{5.2}$ that are $Th_1$-UP and $Th_2$-UP respectively. Our running example is the following $(STD \cup ACUN)$-UP $\Gamma$ (we omit the superscript $\rightarrow$ on encrypted terms in this problem, since they obviously use only asymmetric encryption):

$\Gamma = \{ [1, n_a]_{pk(B)} =_{STD \cup ACUN} [1, N_B]_{pk(a)} \oplus [2, A] \oplus [2, b] \}$.

Step 1. (Purify terms) BSCA first "purifies" the given set of $(Th = Th_1 \cup Th_2)$-UP, $\Gamma$, into a new set of problems $\Gamma_1$, such that all the terms are pure wrt $Th_1$ or $Th_2$.

If our running example is $\Gamma$, then the set of problems in $\Gamma_1$ is $W =_{STD} [1, n_a]_{pk(B)}$, $X =_{STD} [1, N_B]_{pk(a)}$, $Y =_{STD} [2, A]$, $Z =_{STD} [2, b]$, and $W =_{ACUN} X \oplus Y \oplus Z$, where $W, X, Y, Z$ are obviously new variables that did not exist in $\Gamma$.

Step 2. (Purify problems) Next, BSCA purifies $\Gamma_1$ into $\Gamma_2$ such that every problem in $\Gamma_2$ has both terms pure wrt the same theory.

For our example problem, this step can be skipped since all the problems in $\Gamma_1$ already have both their terms purely from the same theory (STD or ACUN).



20 Sreekanth Malladi 



Step 3. (Variable identification) Next, BSCA partitions $Vars(\Gamma_2)$ into a partition $VarIdP$ such that each variable in $\Gamma_2$ is replaced with a representative from the same equivalence class in $VarIdP$. The result is $\Gamma_3$.

In our example problem, one set of values for $VarIdP$ can be

$\{\{A\}, \{B\}, \{N_B\}, \{W\}, \{X\}, \{Y, Z\}\}$.

Step 4. (Split the problem) The next step of BSCA is to split $\Gamma_3$ into two UPs $\Gamma_{4.1}$ and $\Gamma_{4.2}$ such that each of them has every problem with terms from the same theory, $Th_1$ or $Th_2$.

Following this in our example,

{? ? ? ? 1

and

$\Gamma_{4.2} = \{W =_{ACUN} X \oplus Y \oplus Y\}$.

Step 5. (Solve systems) The penultimate step of BSCA is to partition all the variables in $\Gamma_3$ into a partition of size two: let $p = \{V_1, V_2\}$ be a partition of $Vars(\Gamma_3)$. Then, the earlier problems ($\Gamma_{4.1}$, $\Gamma_{4.2}$) are further split such that all the variables in one set of the partition are replaced with new constants in the other set and vice versa. The resulting sets are $\Gamma_{5.1}$ and $\Gamma_{5.2}$.

In our sample problem, we can form $\{V_1, V_2\}$ as $\{Vars(\Gamma_3), \{\}\}$, i.e., we choose that all the variables in problems of $\Gamma_{5.2}$ be replaced with new constants. This is required to find the unifier for the problem (this is the partition that will successfully find a unifier).

So $\Gamma_{5.1}$ stays the same as $\Gamma_{4.1}$, but $\Gamma_{5.2}$ is changed to

$\Gamma_{5.2} = \Gamma_{4.2}\beta = \{W =_{ACUN} X \oplus Y \oplus Y\}\beta = \{w =_{ACUN} x \oplus y \oplus y\}$,

i.e., $\beta = \{w/W, x/X, y/Y\}$, where $w, x, y$ are constants, which obviously did not appear in $\Gamma_{5.1}$.

Step 6. (Combine unifiers) The final step of BSCA is to combine the unifiers for $\Gamma_{5.1}$ and $\Gamma_{5.2}$, obtained using $A_{Th_1}$ and $A_{Th_2}$:

Definition 7. [Combined Unifier]

Let $\Gamma$ be a $Th$-UP where $(Th_1 \cup Th_2) = Th$. Let $\sigma_i \in A_{Th_i}(\Gamma_{5.i})$, $i \in \{1, 2\}$ and let $V_i = Vars(\Gamma_{5.i})$, $i \in \{1, 2\}$.

Suppose '$<$' is a linear order on $Vars(\Gamma)$ such that $Y < X$ if $X$ is not a subterm of an instantiation of $Y$:

$(\forall X, Y \in Vars(\Gamma))((Y < X) \Leftrightarrow \neg(X \sqsubseteq Y\sigma))$.

Let $least(X, T, <)$ be defined as the minimal element of set $T$, when ordered linearly by the relation '$<$', i.e.,

$least(X, T, <) \Leftrightarrow (\forall Y \in T)((Y \neq X) \Rightarrow (X < Y))$.

Then, the combined UA for $\Gamma$, namely $A_{Th_1 \cup Th_2}$, is defined such that

$A_{Th_1 \cup Th_2}(\Gamma) = \{\sigma \mid (\exists \sigma_1, \sigma_2)((\sigma = \sigma_1 \odot \sigma_2) \wedge (\sigma_1 \in A_{Th_1}(\Gamma_{5.1})) \wedge (\sigma_2 \in A_{Th_2}(\Gamma_{5.2})))\}$,

where, if $\sigma = \sigma_1 \odot \sigma_2$, then

— The substitution in $\sigma$ for the least variable in $V_1$ and $V_2$ is from $\sigma_1$ and $\sigma_2$ respectively:

$(\forall i \in \{1, 2\})((X \in V_i) \wedge least(X, Vars(\Gamma), <) \Rightarrow (X\sigma = X\sigma_i))$; and

— For all other variables $X$, where each $Y$ with $Y < X$ has a substitution already defined, define $X\sigma = X\sigma_i\sigma$ ($i \in \{1, 2\}$):

$(\forall i \in \{1, 2\})((\forall X \in V_i)((\forall Y)((Y < X) \wedge (\exists Z)(Z/Y \in \sigma))) \Rightarrow (X\sigma = X\sigma_i\sigma))$.
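As an added example (not the paper's code), the following Python runs Steps 1, 2 and 4 of BSCA on the running example above; the tuple encoding of terms and the fresh-variable names W, X, Y, Z are assumptions, and Steps 3, 5 and 6, which need the theory-specific UAs, are not implemented.

```python
"""Added example (not the paper's code): BSCA Steps 1, 2 and 4 on the running
example. Term encoding is an assumption: ('var', n) / ('const', n) are atoms;
('pair', a, b), ('enc', msg, key), ('pk', agent) are STD; ('xor', *ts) is ACUN."""
import itertools
ATOMS = ('var', 'const')

def theory_of(t):
    """Theory owning the top-level operator of a term (atoms count as STD)."""
    return 'ACUN' if t[0] == 'xor' else 'STD'

def is_pure(t, th):
    """pure(t, Th): every compound subterm of t uses only Th's operators."""
    return t[0] in ATOMS or (theory_of(t) == th and all(is_pure(a, th) for a in t[1:]))

def _purify_term(t, th, out, fresh):
    """Replace each alien subterm of t (wrt th) by a fresh variable V, recording (V, alien, theory) in out."""
    if t[0] in ATOMS:
        return t
    if theory_of(t) != th:                       # ast(t, _, th) holds: abstract it
        v = ('var', next(fresh))
        out.append((v, _purify_term(t, theory_of(t), out, fresh), theory_of(t)))
        return v
    return (t[0],) + tuple(_purify_term(a, th, out, fresh) for a in t[1:])

def purify(lhs, rhs):
    """Step 1: {lhs =_{STD ∪ ACUN} rhs} -> list of (l, r, theory) with pure terms."""
    fresh = itertools.chain('WXYZ', (f'V{i}' for i in itertools.count(1)))
    out, th_l, th_r = [], theory_of(lhs), theory_of(rhs)
    if th_l != th_r:                             # sides from different theories: link via W
        w = ('var', next(fresh))
        out.append((w, _purify_term(lhs, th_l, out, fresh), th_l))
        out.append((w, _purify_term(rhs, th_r, out, fresh), th_r))
    else:
        out.append((_purify_term(lhs, th_l, out, fresh),
                    _purify_term(rhs, th_l, out, fresh), th_l))
    return out

def step2_is_noop(problems):
    """Step 2 is skippable iff every problem has both terms pure wrt its theory."""
    return all(is_pure(l, th) and is_pure(r, th) for l, r, th in problems)

def split(problems):
    """Step 4: separate the pure problems into the STD-UP and the ACUN-UP."""
    return ([p for p in problems if p[2] == 'STD'], [p for p in problems if p[2] == 'ACUN'])

# Constructed instance of [1, n_a]_{pk(B)} =_{STD ∪ ACUN} [1, N_B]_{pk(a)} ⊕ [2, A] ⊕ [2, b]
V, C = (lambda n: ('var', n)), (lambda n: ('const', n))
LHS = ('enc', ('pair', C('1'), C('na')), ('pk', V('B')))
RHS = ('xor', ('enc', ('pair', C('1'), V('NB')), ('pk', C('a'))),
       ('pair', C('2'), V('A')), ('pair', C('2'), C('b')))
```

`purify(LHS, RHS)` yields exactly the five problems listed under Step 1, in that order, and `step2_is_noop` confirms that Step 2 can be skipped for them.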

B Proofs 

The following lemma concerns combined unification problems involving STD and ACUN theories. We prove that, if we follow the Baader & Schulz approach for finding unifiers for these problems, ACUN subproblems will have only constants as subterms. Consequently, we will end up with an empty set of substitutions returned by the ACUN UA for the ACUN UPs, even when the XOR terms are equal in the ACUN theory.

Lemma 2. [ACUN UPs have only constants]

Let $\Gamma = \{m =_{SUA} t\}$ be a $(S \cup A)$-UP that is $(S \cup A)$-Unifiable, and where no subterm of $m$ or $t$ is an XOR term with free variables ($\mathbb{N}$ is the set of natural numbers):

$(\forall x)\big( ((x \sqsubseteq m) \vee (x \sqsubseteq t)) \wedge (n \in \mathbb{N}) \wedge (x = x_1 \oplus \ldots \oplus x_n) \Rightarrow (\forall i \in \{1, \ldots, n\})(x_i \notin Vars) \big)$.

Then,

$(\forall m' =_{ACUN} t' \in \Gamma_{5.2}; y)\big( ((y \sqsubseteq m') \vee (y \sqsubseteq t')) \Rightarrow (y \in Constants) \big)$.
Proof. Let $\sigma$ be a set of substitutions s.t. $\sigma \in A_{(S \cup A)}(\Gamma)$.

Then, from Def. 7 (Combined Unifier), $\sigma = \sigma_1 \odot \sigma_2$, where $\sigma_1 \in A_{STD}(\Gamma_{5.1})$ and $\sigma_2 \in A_{ACUN}(\Gamma_{5.2})$.

Suppose there is a term $t$ in $\Gamma$ with an alien subterm $t'$ wrt the theory ACUN (e.g. $[1, n_a]_k \oplus b \oplus c$ with the alien subterm $[1, n_a]_k$).

Then, from the definition of purification (Step 1), it must have been replaced with a new variable in $\Gamma_2$, i.e.,

$(\forall t, t')\big( ((t \in \Gamma) \wedge (t = \_ \oplus \ldots \oplus \_) \wedge (t' \sqsubseteq t) \wedge ast(t', t, ACUN)) \Rightarrow (\exists X)((X =_{ACUN} t' \in \Gamma_2) \wedge (X \in NewVars)) \big)$ (16)

where $NewVars \subseteq Vars \setminus Vars(\Gamma)$.

Since XOR terms do not have free variables from hypothesis, it implies that every free variable in an XOR term in $\Gamma_2$ is a new variable:

(VM'.((<'t.^'5r,?'f™r)-'''^— 

Since every alien subterm of every term in $\Gamma$ has been replaced with a new variable (16), combining it with (17), XOR terms in $\Gamma_2$ must now have only constants and/or new variables:

$(\forall t, t')\big( ((t \in \Gamma_2) \wedge (t = \_ \oplus \ldots \oplus \_) \wedge (t' \sqsubseteq t)) \Rightarrow (t' \in NewVars \cup Constants) \big)$. (18)

Let $VarIdP$ be a partition of $Vars(\Gamma_2)$ and $\Gamma_3 = \Gamma_2\rho$, such that

$\Gamma_2\rho = \{s =_{ACUN} t \mid (s =_{ACUN} t = s'\rho =_{ACUN} t'\rho) \wedge s' =_{ACUN} t' \in \Gamma_2\}$



where p is the set of substitutions where each set of variables in VarldP has 
been replaced with one of the variables in the set: 

p=\x/X\ (Vyi/Xi,y2/^2 e P\ vip € VarldP) (Yi =Y2)A ] ] \. 
[ V V iYi,Y2evtp) J J J 

Can there exist a substitution $X/Y$ in $\rho$ such that $Y \in NewVars$ and $X \in Vars(\Gamma)$?

To find out, consider the following two statements:

— From (16), every new variable $Y$ in $\Gamma_2$ belongs to a STD-UP in $\Gamma_2$:

$(\forall Y \in NewVars)((Y \in Vars(\Gamma_2)) \Rightarrow (\exists t)(pure(t, STD) \wedge Y =_{ACUN} t \in \Gamma_2))$.



Protocol independence through disjoint encryption under Exclusive-OR 23



— Further, from hypothesis, we have that XOR terms in $\Gamma$ do not have free variables. Hence, every free variable is a proper subterm of a purely STD term:

$(\forall X \in Vars(\Gamma))\big( (\exists t \in \Gamma)((X \sqsubseteq t) \wedge pure(t, STD) \wedge (X \neq t)) \big)$.

The above two statements are contradictory: it is not possible that a new variable and an existing variable can be replaced with each other, since one belongs to a STD-UP, and the other is always a proper subterm of a term that belongs to a STD-UP.

Hence, $VarIdP$ cannot consist of sets where new variables are replaced by $Vars(\Gamma)$, i.e.,

$(\forall X, Y, vip \in VarIdP)\big( \neg((Y \in NewVars) \wedge (X \in Vars(\Gamma)) \wedge (X/Y \in \rho)) \big)$. (19)



Writing (19) in (18), we have

$(\forall t, t')\big( ((t \in \Gamma_3) \wedge (t = \_ \oplus \ldots \oplus \_) \wedge (t' \sqsubseteq t)) \Rightarrow (t' \in NewVars \cup Constants) \big)$. (20)

Further, if a variable belongs to a UP of $\Gamma_3$, then the other term of the UP is pure wrt STD theory:

$(\forall X \in Vars(\Gamma_3), t)\big( ((X =_{ACUN} t \in \Gamma_3) \vee (t =_{ACUN} X \in \Gamma_3)) \Rightarrow (X \in NewVars) \wedge pure(t, STD) \big)$. (21)

Now suppose $\Gamma_{4.2} = \{s =_{ACUN} t \mid (s =_{ACUN} t \in \Gamma_3) \wedge pure(s, ACUN) \wedge pure(t, ACUN)\}$, $\{V_1, V_2\}$ a partition of $Vars(\Gamma) \cup NewVars$, and

$\Gamma_{5.2} = \Gamma_{4.2}\beta$

where $\beta$ is a set of substitutions of new constants to $V_1$:

$\beta = \{x/X \mid (X \in V_1) \wedge (x \in Constants \setminus (Constants(\Gamma) \cup Constants(\Gamma_{5.1})))\}$.

From hypothesis, $\Gamma_{5.2}$ is ACUN-Unifiable. Hence, we have:

$(\forall \sigma)((\forall m' =_{ACUN} t' \in \Gamma_{5.2})(m'\sigma =_{ACUN} t'\sigma) \Leftrightarrow \sigma \in A_{ACUN}(\Gamma_{5.2}))$.

Now consider a $\sigma$ s.t. $\sigma \in A_{ACUN}(\Gamma_{5.2})$.



From (20), we have that XOR terms in $\Gamma_{5.2}$ have only new variables and/or constants, and from (21) we have that if $X \in Vars(\Gamma_{5.2})$, then there exists $t$ s.t. $X =_{STD} t \in \Gamma_{5.1}$ and $t$ is pure wrt STD theory.

$t$ is a proper subterm of $t'$ if $t \sqsubseteq t' \wedge t \neq t'$.
Suppose $V_2 \neq \{\}$. Then, there is at least one variable, say $X \in Vars(\Gamma_{5.2})$. This implies that $X$ is replaced with a constant (say $x$) in $\Gamma_{5.1}$.

Since $X$ is necessarily a new variable and one term of a STD-UP, this implies that $x$ must equal some compound term made with $StdOps$.

However, a compound term made with $StdOps$ can never equal a constant under the STD theory:

$(\nexists f \in StdOps; t_1, \ldots, t_n; x \in Constants)(x =_{STD} f(t_1, \ldots, t_n))$,

a contradiction.

Hence, $\sigma = \{\}$, $V_2 = \{\}$ and our hypothesis is true that all XOR terms in $\Gamma_{5.2}$ necessarily contain only constants:

$(\forall m' =_{ACUN} t' \in \Gamma_{5.2}; x)\big( ((x \sqsubseteq m') \vee (x \sqsubseteq t')) \Rightarrow (x \in Constants) \big)$.



